Every year, we ensure that each employee reviews and signs a code of business conduct that requires, among other things, the safeguarding and proper use of customer information. Our representatives undergo privacy training to ensure they are aware of and respect your rights. We also place controls on the protection and use of personal information within our systems and websites.
United States customers can review their CPNI rights and Allstream’s obligations here: https://support.allstream.com/knowledge-base/customer-proprietary-network-information-cpni/
Allstream provides direct communications infrastructure services to customers in North America. As part of providing those services, Allstream may act as a “controller” or a “processor” (defined below), or neither. This privacy statement explains our position with respect to the different services Allstream provides.
Data subjects – people or companies whose information is processed.
Personal information – any information that relates to an identified or identifiable living individual. This includes, for example, information such as name, address, telephone number, email address, and identification number. If personal information is effectively de-identified so that it can no longer be linked to an identifiable individual, the information is no longer ‘personal’. De-identification is an important tool for protecting privacy.
Customer Proprietary Network Information (CPNI) – CPNI is information telecommunications companies gather about their customers that relates to the quantity, technical configuration, type, destination, location, or amount of use of telecommunication services. Communications providers in the United States are obligated to protect customers’ CPNI rights, as outlined in the FCC’s CPNI rules at 47 C.F.R. Part 64, Subpart U. While this Privacy Statement generally covers privacy rights and obligations related to Personal Information, it is important for U.S. customers to know their CPNI rights, which can be reviewed here: https://support.allstream.com/knowledge-base/customer-proprietary-network-information-cpni/
Processing – any set of actions which is performed on personal information such as collecting, recording, organizing, structuring, storing, altering, retrieving, using, disclosing, or destroying.
Controller – the entity that determines the processes and means of processing.
Processor – the entity that processes personal information on behalf of the controller.
How and Why Allstream Collects Information
We collect information during the application process, when communicating or transacting business with you, and when providing you with a product or service. Occasionally we collect information about you from third parties, such as credit grantors or consumer reporting agencies for credit checks.
We collect information to:
- Establish and maintain a responsible commercial relationship with you. For example, we may collect information to confirm your identity or to establish credit worthiness.
- Understand your needs and preferences, including through data analytics, and to recommend relevant offers, products, services, and bundled discounts.
- Understand who the people are that use our products and services, how they use them, and how we can improve them.
- Manage and develop our business and operations. For example, we monitor usage volumes in order to plan and provision our communications networks. We also track product sales to determine the success of features, promotions, and pricing.
- Meet legal and regulatory requirements. For example, we may be required to collect information by a court order or to demonstrate compliance with a CRTC or FCC requirement.
Your personal information will not be used for any other purpose without your consent.
For Data Services and Network Infrastructure
Allstream provides infrastructure and bandwidth services that permit customers to transport data in accordance with customer contractual requirements. The customer is responsible for ensuring the data transmitted through these services is appropriately protected and compliant with current privacy legislation. Although customer information is moving through company infrastructure, Allstream is NOT acting in the role of a processor of customer data. Allstream does not possess any direct or administrative access to any customer content that is transmitted through our communication infrastructure. This separation is maintained through both technological and security controls implemented on our service architecture.
For Allstream.com and Other Associated Allstream Service Portals
Allstream utilizes websites for the display of corporate information as well as to market and transact Allstream services. Customers and web site visitors interact with various functions on these pages that may require the collection and use of personal information to complete those functions.
Allstream collects data from data subjects (including data that may be considered “personal information”) to enable communications with web site visitors and customers, administer customer accounts, and comply with customer contracts.
Categories of Personal Information Collected
Allstream utilizes several categories of what may be considered personal information to conduct operations. The following categories are broad descriptions aligned with business operations.
Contact Information – Allstream collects customer name, business address, telephone number, job title, email address, and information needed for billing purposes.
Allstream generally collects this information directly from data subjects. In cases where contact information is provided by the customer in accordance with contractual requirements, the customer is responsible for ensuring that any personal information submitted to Allstream has been obtained in accordance with relevant data protection requirements. Where applicable, customer warrants that it has obtained any required consent from the data subject prior to providing personal information to Allstream.
Network Traffic Data – Allstream collects data that is captured through system logging and data flow management systems including, but not limited to, source and destination Internet Protocol [IP] addresses and domain name, date and time indicators, and other network layer protocol header information as collected based on service capabilities.
NOTE: Although IP addresses are collected within network traffic logs, Allstream does not possess the necessary capabilities without the involvement of the impacted “customer” to identify an individual.
Website Visitor Information – Allstream collects website visitor information in the form of generic website statistics and cookies including device, operating system and browser type, country and time zone indicators, and other system settings.
Website Application Information – Allstream collects contact information associated with the creation of application user credentials (e.g. Allstream service portals).
Allstream collects this information directly from data subjects using application interfaces and provides privacy notices related to each application’s purpose and use of personal information collected. Current applications support service administration/transactions, recruitment and facility access.
Purposes and Legal Bases for Processing Personal Information
Allstream processes contact information as necessary for the performance of a contract between Allstream and the Customer. Contact information is needed for ongoing contract administration, and for activity related to the provision of service, such as to provide customer notices and service announcements, to assist with service incident resolution, to install and maintain services on customer premises, and to address billing and payment inquiries.
Allstream processes identity information as necessary for the performance of a contract between Allstream and the Customer. Customer contracts require that physical security controls be implemented to prevent unauthorized access to network systems and data. Identity information is collected to authenticate individuals based on customer approvals.
Allstream processes network traffic data consistent with its legitimate interests to ensure the integrity of services and to support security incident and event management functions.
Allstream processes website visitor information and contact information with our legitimate interest to offer and provide products and services, send promotional materials and marketing communications regarding programs (where customers have not opted-out of such communications), offers and surveys, deliver targeted online advertising, communicate with returning visitors and auto-fill web-based forms, respond to inquiries and to operate, evaluate, and improve our business.
Allstream processes website application information with our legitimate interest to create and maintain user credentials to allow authenticated user access to self-serve functions related to telecommunication services or to submit recruitment information for consideration of employment.
Categories of Recipients of Personal Information
Allstream shares personal information with several categories of recipients.
- Contact information may be used/accessed by Allstream employees including client services, sales, network/service operations staff and both Allstream and third party operations personnel.
- Network traffic data may be used/accessed by designated Allstream network administrators/platform managers and Allstream Security Operations Centre [SOC] staff.
- Website visitor information is used/accessed by authorized Allstream marketing and sales representatives and contracted third party digital marketing and advertising partners.
- Website application information is used/accessed by designated subject matter experts related to service order processing and recruitment, Allstream application administrators and designated help desk resources assigned to support application operations.
Allstream endeavors to limit data transfers wherever possible and will only transfer data consistent with applicable laws and regulations. Where data transfers are necessary, Allstream ensures that recipients of this data have appropriate safeguards in place. With respect to the personal information categories described above, Allstream executes necessary data transfers on the following legal bases:
- Contact information and website application information is managed within Salesforce and UltiPro on infrastructure located in the United States. This data transfer is necessary for the performance of a contract between Allstream and the Customer.
- Network traffic data is managed within our network operation and security events management tools within the United States and Canada.
- Website visitor information is managed within our hosted website platform within the United States.
Storing or Processing Customer Information Outside the Country
In some cases, personal information collected by the company on behalf of customers in one country may be stored and processed outside of that country (i.e., in the United States or Canada) to provide you with service or to support operations.
While the information may be subject to the legal jurisdictions of these countries, the Allstream employees and agents or third-party companies that provide us with these services have obligations to protect such information. For example, the information is typically provided only after the companies have agreed to be bound by Allstream’s privacy policies and/or signed contracts setting out detailed privacy safeguards. Moreover, the information may only be used for the purposes of providing the services in question.
Sharing Personal Information with Outside Organizations
We do not provide personal information to any party outside of our company except in limited circumstances in which it is necessary for us to do so or if you have otherwise given consent. The third parties we may provide with personal information include:
- Our agents acting on our behalf, such as a company hired to perform installation work on our behalf
- Another communications service provider, to offer efficient and effective communications services (e.g., to provide service by utilizing another carrier’s circuit) or as required by law
- A collection agency, for the express purpose of the collection of past due bills
When we provide personal information to third parties, we give only the information that is required under the specific circumstances. That information is used only for the purpose stated and is subject to strict terms of confidentiality.
Disclosure of Personal Information
Legal and Emergency Exceptions
In certain urgent circumstances, we may be required to collect, use or disclose personal information without your knowledge or consent. For example:
- During the investigation of potential fraud, a breach of an agreement or the breaking of provincial, federal or state laws
- If we’re asked to comply with a subpoena, warrant, court order, or other lawful request
- If there is an emergency where someone’s life, health or security is threatened.
Verification Protocols Used to Protect Personal Information
We place great emphasis on the security of your personal information and have safeguards in place to ensure that it is not disclosed to an unauthorized third party which is why, when calling us, you’ll be asked to confirm certain details regarding your account.
This safeguard will help us prevent pre-texting, often referred to as “social engineering”, which refers to the fraudulent and illegal practice of misrepresenting who you are in order to obtain access to someone else’s information. We are aware that pre-texting, although illegal, has been a practice employed by unauthorized third parties trying to obtain access to customer information.
We confirm that you are an authorized user on the account and ask you to confirm your account number and the password associated with the account.
We therefore ask for your patience and understanding when you are asked to confirm or provide such information as this process has been established to protect your personal account information.
Monitoring Customers’ Use of our Services
Similar to other service providers, we may monitor our customers’ use of our services from time to time in accordance with our acceptable use policy and applicable laws.
For example, in the normal course of business, we may need to review certain aspects, such as your bandwidth consumption. This is to ensure that our service is functioning properly, but it may also be to ensure your compliance with our Terms of Service.
Some of the things that may trigger monitoring of your use include:
- Harassment of other users
- Uploading, downloading or otherwise transmitting materials which are protected by copyrights or other intellectual property rights
- Assisting or engaging in the fraudulent use of our services
For additional information, please refer to the guidelines set out in your Terms of Service regarding the responsible use of Allstream Services.
Customer Call Recording
Because we are committed to continually improve our customer service, some customer calls may be recorded and used for the ongoing training and development of our employees. Consistent with federal privacy legislation, customers are informed by a pre-recorded message that their call may be recorded for quality assistance purposes. After hearing this message, should you decide to continue with the call, your consent to record the call is implied. Otherwise, you may contact a customer service representative through our Contact Us section.
We may also record outbound calls placed to our customers for similar purposes.
Analytics simply means the analysis of information, often aggregated, to get statistical insights. The insights gained from analytics can be used in a variety of ways.
Some examples of how we use analytics in our operations to improve the quality and reliability of our services include: combining selected usage data of large number of customers to optimize our current network or detect areas of congestion or possible problems. We can even use analytics to help us make decisions about where we need to expand our facilities to meet future demands, what new services to develop, and what broadcasting content our viewers will enjoy.
We may use information that has been securely aggregated and de-identified for analytics. Any personal information is de-identified so that customers cannot be identified as individuals. We use the most up-to-date de-identification methods and regularly review these methods to ensure your privacy is protected. We may use that de-identified information to improve our operations, and to develop analytic marketing reports for our use.
Allstream maintains a corporate records retention policy and schedule. Specific retentions are based on data categories within the Allstream Data Retention section of the Data Security Standard. However, various data elements when included within corporate documents will be governed by corporate and legal requirements.
Data Subject Rights
You have the right to:
- Request further details on the processing of your personal information;
- Request a copy of the personal information that you have provided to us;
- Correct or remove any inaccurate personal information we hold; and
- Object to any processing based on legitimate grounds, unless our reasons for undertaking that processing outweigh any prejudice to your data protection rights.
To update, correct, or remove personal information or to object to the processing of your information related to web site visit or web application support, please contact us at email@example.com or through “support” options on portals or applications.
NOTE: Where contact information has been provided by your employer [our Customer], direct your request to your employer for corrective action. Due to the nature of personal information use, Allstream reserves the right to verify any corrections with customer contract authorities or authorized users prior to making any changes.
For all other inquiries, please contact us, in writing, at firstname.lastname@example.org. In your request, please clearly articulate the nature of the concern/request as specifically as possible. Prior to release of any information, we may be required to ask for additional information from you in order to verify your identity before disclosure.
If you consider that privacy requests have not been addressed adequately by Allstream or the processing of Personal Information infringes the law, you have the right to lodge a complaint with the office of the Data Protection Commissioner or Supervisory Authority in the country where you reside.
Organization Details and Privacy Contact Information
Attn: Vice President, Data Privacy
18110 SE 34th St., Building One, Suite 100
Vancouver, WA 98683
Information Security will enforce Allstream’s privacy policies. Non-compliance may be considered a breach of the Code of Conduct and subject to action by Human Resources. Any violations of the policy may be escalated to and reviewed by Information Security, Legal, or other stakeholders for recommended enforcement action.